Abstract — We introduce a technique for synthesis of control 
and communication strategies for a team of agents from a 
global task specification given as a Linear Temporal Logic 
(LTL) formula over a set of properties that can be satisfied by 
the agents. We consider a purely discrete scenario, in which the 
dynamics of each agent is modeled as a finite transition system. 
The proposed computational framework consists of two main 
steps. First, we extend results from concurrency theory to check 
whether the specification is distributable among the agents. 
Second, we generate individual control and communication 
strategies by using ideas from LTL model checking. We apply 
the method to automatically deploy a team of miniature cars 
in our Robotic Urban-Like Environment. 

I. Introduction 

In control problems, "complex" models, such as systems 
of differential equations, are usually checked against "simple"
specifications, such as the stability of an equilibrium,
the invariance of a set, controllability, and observability. 
In formal synthesis (verification), "rich" specifications such 
as languages and formulas of temporal logics are checked 
against "simple" models of software programs and digital 
circuits, such as (finite) transition systems. Recent studies 
show promising possibilities to bridge this gap by developing 
theoretical frameworks and computational tools, which allow 
one to synthesize controllers for continuous and hybrid 
systems satisfying specifications in rich languages. Examples 
include Linear Temporal Logic (LTL) [1], fragments of LTL 
[2], [3], Computation Tree Logic (CTL) [4], mu-calculus [5], 
and regular expressions [6]. 

A fundamental challenge in this area is to construct 
finite models that accurately capture behaviors of dynamical 
systems. Recent approaches are based on the notion of 
abstraction [7] and equivalence relations such as simulation 
and bisimulation [8]. Enabled by recent developments in 
hierarchical abstractions of dynamical systems [1], it is 
now possible to model systems with linear dynamics [9], 
polynomial dynamics [10], and nonholonomic (unicycle) 
dynamics [11] as finite transition systems. 

More recent work suggests that such hierarchical abstraction
techniques for a single agent can be extended to
multi-agent systems, using parallel compositions [4], [12].
The two main limitations of this approach are the state
space explosion problem and the need for frequent agent
synchronization. References [6], [13] addressed both of these
limitations with "top-down" approaches, by drawing inspiration
from distributed formal synthesis [14]. The main idea is
to decompose a global specification into local specifications,
which can then be used to synthesize controllers for the
individual agents. The main drawback of these methods is
that the expressivity is limited to regular languages.

Fig. 1. The topology of the Robotic Urban-Like Environment (RULE) and
the road, intersection, and parking lot labels.

In this paper, we address a purely discrete problem, in
which each agent is modeled as a finite transition system:
given 1) a set of properties of interest that need to be satisfied,
2) a team of agents and their capacities and cooperation
requirements for satisfying properties, and 3) a task specification
describing how the properties need to be satisfied subject to
some temporal and logical constraints in the form of an LTL
formula over the set of properties, find provably-correct individual
control and communication strategies for each agent
such that the task is accomplished. Drawing inspiration from
the areas of concurrency theory [15] and distributed formal 
synthesis [14], we develop a top-down approach that allows 
for the fully automatic synthesis of individual control and 
communication schemes. This framework is quite general 
and can be used in conjunction with abstraction techniques 
to control multiple agents with continuous dynamics. 

The contribution of this work is threefold. First, we
develop a computational framework to synthesize individual
control and communication strategies from global specifications
given as LTL formulas over a set of interesting
properties. This is a significant improvement over [6] by
increasing the expressivity of specifications. Second, we
extend the approach of checking closure properties of temporal
logic specifications in [16] to generate distributed
control and communication strategies for a team of agents
while considering their dynamics. Specifically, we show how
a satisfying distributed execution can be found when the
global specification is trace-closed. Third, we implement
and illustrate the computational framework in our Khepera-based
Robotic Urban-Like Environment (RULE) (Fig. 1). In
this experimental setup, robotic cars can be automatically
deployed from specifications given as LTL formulas to
service requests that occur at the different locations while
avoiding the unsafe regions.

The remainder of the paper is organized as follows. Some
preliminaries are introduced in Sec. II. The problem is
formulated in Sec. III. An approach for distributing the
global specification over a team of agents and synthesizing
individual control and communication strategies is presented
in Sec. IV. The method is applied to the RULE platform in
Sec. V. We conclude with final remarks and directions for
future work in Sec. VI.

II. Preliminaries 

For a set $\Sigma$, we use $|\Sigma|$, $2^\Sigma$, $\Sigma^*$, and $\Sigma^\omega$ to denote
its cardinality, power set, set of finite words, and set of
infinite words, respectively. We define $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$ and
denote the empty word by $\epsilon$. In this section, we provide
background material on Linear Temporal Logic, automata,
and concurrency theory.

Definition 1 (transition system): A transition system
(TS) is a tuple $\mathcal{T} := (S, s_0, \to, \Sigma, h)$, consisting of (i) a
finite set of states $S$; (ii) an initial state $s_0 \in S$; (iii) a
transition relation $\to \subseteq S \times S$; (iv) a finite set of properties
$\Sigma$; and (v) an output map $h : S \to \Sigma$.

A transition $(s, s') \in \to$ is also denoted by $s \to s'$.
Properties can be either true or false at each state of $\mathcal{T}$.
The output map $h(s)$, where $s \in S$, defines the property
valid at state $s$. A finite trajectory of $\mathcal{T}$ is a finite sequence
$r_{\mathcal{T}} = s(0)s(1) \ldots s(n)$ with the property that $s(0) = s_0$
and $s(i) \to s(i+1)$, for all $i \ge 0$. Similarly, an infinite
trajectory of $\mathcal{T}$ is an infinite sequence $r_{\mathcal{T}} = s(0)s(1) \ldots$ with
the same property. A finite or infinite trajectory generates a
finite or infinite word as a sequence of properties valid at
each state, denoted by $w = h(s(0))h(s(1)) \ldots h(s(n))$ or
$w = h(s(0))h(s(1)) \ldots$, respectively.

We employ Linear Temporal Logic (LTL) formulas to
express global tasks for a team of agents. Informally, LTL
formulas are built from a set of properties $\Sigma$, standard
Boolean operators $\neg$ (negation), $\vee$ (disjunction), $\wedge$ (conjunction),
and temporal operators $\bigcirc$ (next), $\mathcal{U}$ (until),
$\Diamond$ (eventually), $\Box$ (always). The semantics of LTL formulas are
given over infinite words $w$ over $\Sigma$, such as those generated
by a transition system defined in Def. 1. We say an infinite
trajectory $r_{\mathcal{T}}$ of $\mathcal{T}$ satisfies an LTL formula $\phi$ if and only if
the word generated by $r_{\mathcal{T}}$ satisfies $\phi$.

A word satisfies an LTL formula $\phi$ if $\phi$ is true at the first
position of the word; $\bigcirc\phi$ states that at the next state, an LTL
formula $\phi$ is true; $\Diamond\phi$ means that $\phi$ eventually becomes true
in the word; $\Box\phi$ means that $\phi$ is true at all positions of the
word; $\phi_1 \,\mathcal{U}\, \phi_2$ means $\phi_2$ eventually becomes true and $\phi_1$ is
true until this happens. More expressivity can be achieved
by combining the above temporal and Boolean operators.
Examples include $\Box\Diamond\phi$ ($\phi$ is true infinitely often) and $\Diamond\Box\phi$
($\phi$ becomes eventually true and stays true forever).

For every LTL formula $\phi$ over $\Sigma$, there exists a Büchi
automaton accepting all and only the words satisfying $\phi$
[17]. We refer readers to [18] and references therein for
efficient algorithms and freely downloadable implementations
to translate an LTL formula to a corresponding Büchi
automaton.

Definition 2 (Büchi automaton): A Büchi automaton is a
tuple $\mathcal{B} := (Q, Q^{in}, \Sigma, \delta, F)$, consisting of (i) a finite set of
states $Q$; (ii) a set of initial states $Q^{in} \subseteq Q$; (iii) an input
alphabet $\Sigma$; (iv) a transition function $\delta : Q \times \Sigma \to 2^Q$; (v) a
set of accepting states $F \subseteq Q$.

A run of the Büchi automaton over an infinite word
$w = w(0)w(1) \ldots$ over $\Sigma$ is a sequence $r_{\mathcal{B}} = q(0)q(1) \ldots$,
such that $q(0) \in Q^{in}$ and $q(i+1) \in \delta(q(i), w(i))$. A Büchi
automaton accepts a word $w$ if and only if there exists $r_{\mathcal{B}}$
over $w$ so that $\inf(r_{\mathcal{B}}) \cap F \neq \emptyset$, where $\inf(r_{\mathcal{B}})$ denotes the set
of states appearing infinitely often in run $r_{\mathcal{B}}$. The language
accepted by a Büchi automaton, denoted by $\mathcal{L}(\mathcal{B})$, is the set
of all infinite words accepted by $\mathcal{B}$. We use $\mathcal{B}_\phi$ to denote the
Büchi automaton accepting the language satisfying $\phi$.

Remark 1: In LTL model checking [19], several properties
can be valid at one state of a transition system (also called
Kripke structure). The words produced by a transition system
and accepted by a Büchi automaton are over the power set
of propositions (i.e., $2^\Sigma$). In this paper, we consider a particular case
where we allow only one property to be valid at each state
of a TS by defining $h$ in Def. 1 as a mapping from $S$ to $\Sigma$.
As a consequence, the words generated by $\mathcal{T}$ and accepted
by $\mathcal{B}$ are over $\Sigma$.

Definition 3 (distribution): Given a set $\Sigma$, a collection of
subsets $\{\Sigma_i \subseteq \Sigma, i \in I\}$, where $I$ is an index set, is called
a distribution of $\Sigma$ if $\bigcup_{i \in I} \Sigma_i = \Sigma$.

Definition 4 (projection): For a word $w \in \Sigma^\infty$ and a
subset $S \subseteq \Sigma$, we denote by $w\upharpoonright_S$ the projection of $w$ onto $S$,
which is obtained by erasing all symbols $\sigma$ in $w$ that do not
belong to $S$. For a language $L \subseteq \Sigma^\infty$ and a subset $S \subseteq \Sigma$,
we denote by $L\upharpoonright_S$ the projection of $L$ onto $S$, which is given
by $L\upharpoonright_S := \{w\upharpoonright_S \mid w \in L\}$.

Definition 5 (trace-closed language): Given a distribution
$\{\Sigma_i \subseteq \Sigma, i \in I\}$ and $w, w' \in \Sigma^\infty$, we say that
$w$ is trace-equivalent to $w'$ ($w \sim w'$)¹ if and only if
$w\upharpoonright_{\Sigma_i} = w'\upharpoonright_{\Sigma_i}$ for all $i \in I$. We denote by $[w]$ the
trace-equivalence class of $w \in \Sigma^\infty$, which is given by
$[w] := \{w' \in \Sigma^\infty \mid w'\upharpoonright_{\Sigma_i} = w\upharpoonright_{\Sigma_i}\ \forall i \in I\}$.
A trace-closed language over a distribution
$\{\Sigma_i \subseteq \Sigma, i \in I\}$ is a language $L$ such
that for all $w \in L$, $[w] \subseteq L$.

¹ Note that the trace-equivalence relation $\sim$ and class $[\cdot]$ are based on the
given distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$. For simplicity of notation, we use $\sim$
and $[\cdot]$ without specifying the distribution when there is no ambiguity.



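Definition 6 (product of languages): Given a distribution
$\{\Sigma_i \subseteq \Sigma, i \in I\}$, the product of a set of languages $L_i$ over
$\Sigma_i$ is denoted by $\|_{i \in I} L_i$ and defined as
$\|_{i \in I} L_i := \{w \in \Sigma^\infty \mid w\upharpoonright_{\Sigma_i} \in L_i \text{ for all } i \in I\}$.

Proposition 1: Given a distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$ of $\Sigma$
and a word $w \in \Sigma^\infty$, we have $[w] = \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$.

Proof: For all words $w' \in [w]$, according to Def. 5,
$w'\upharpoonright_{\Sigma_i} = w\upharpoonright_{\Sigma_i}$, $\forall i \in I$. According to Def. 6, since $w' \in \Sigma^\infty$
and $w'\upharpoonright_{\Sigma_i} = w\upharpoonright_{\Sigma_i}$, $\forall i \in I$, then $w' \in \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$. Hence,
$[w] \subseteq \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$.

For all words $w' \in \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$, according to Def. 6,
$w\upharpoonright_{\Sigma_i} = w'\upharpoonright_{\Sigma_i}$. According to Def. 5, $w' \sim w$, which implies
$w' \in [w]$. Hence, $\|_{i \in I} \{w\upharpoonright_{\Sigma_i}\} \subseteq [w]$. Combined with the
fact that $[w] \subseteq \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$, we have $[w] = \|_{i \in I} \{w\upharpoonright_{\Sigma_i}\}$.

■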

We refer to [15], [20] for more definitions and properties 
in concurrency theory. 

III. Problem Formulation and Approach 

Assume we have a team of agents $\{i \mid i \in I\}$, where $I$ is a
label set. We use an LTL formula over a set of properties $\Sigma$ to
describe a global task for the team. We model the capabilities
of the agents to satisfy properties as a distribution $\{\Sigma_i \subseteq
\Sigma, i \in I\}$, where $\Sigma_i$ is the set of properties that can be
satisfied by agent $i$. A property can be shared or individual,
depending on whether it belongs to multiple agents or to a
single agent. Shared properties are properties that need to be
satisfied by several agents simultaneously.

We model each agent as a transition system:

$\mathcal{T}_i = (S_i, s_{0_i}, \to_i, \Sigma_i, h_i), \quad i \in I.$ (1)

In other words, the dynamics of agent $i$ are restricted by
the transition relation $\to_i$. The output $h_i(s_i)$ represents the
property that is valid (true) at state $s_i \in S_i$. An individual
property $\sigma$ is said to be satisfied if and only if the agent
that owns $\sigma$ reaches state $s_i$ at which $\sigma$ is valid (i.e.,
$h_i(s_i) = \sigma$). A shared property $\sigma$ is said to be satisfied if
and only if all the agents sharing it enter the states where $\sigma$
is true simultaneously.

For example, $\mathcal{T}_i$ can be used to model the motion capabilities
of a robot (Khepera III miniature car) running in our
urban-like environment (Fig. 1), where $S_i$ is a set of labels
for the roads, intersections and parking lots and $\to_i$ shows
how these are connected (i.e., $\to_i$ captures how robot $i$ can
move among adjacent regions). Note that these transitions
are, in reality, enabled by low-level control primitives (see
Sec. V). We assume that the selection of a control primitive
at a region uniquely determines the next region. This
corresponds to a deterministic (control) transition system, in
which each trajectory of $\mathcal{T}_i$ can be implemented by the robot
in the environment by using the sequence of corresponding
motion primitives. For simplicity of notation, since the robot
can deterministically choose a transition, we omit the control
inputs traditionally associated with transitions. Furthermore,
distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$ can be used to capture
the capabilities of the robots to service requests and task
cooperation requirements (e.g., some of the requests can be
serviced by one robot, while others require the collaboration
of two or more robots). The output map $h_i$ indicates the
locations of the requests. A robot services a request by
visiting the region at which this request occurs. A shared
request occurring at a given location requires multiple robots
to be at this location at the same time.

Definition 7 (cc-strategy): A finite (infinite) trajectory
$r_i = s_i(0)s_i(1) \ldots s_i(n)$ ($s_i(0)s_i(1) \ldots$) of $\mathcal{T}_i$ defines a
control and communication (cc) strategy for agent $i$ in the
following sense: (i) $s_i(0) = s_{0_i}$, (ii) an entry $s_i(k)$ means
that state $s_i(k)$ should be visited, (iii) an entry $s_i(k)$, where
$h_i(s_i(k))$ is a shared property, triggers a communication
protocol: while at state $s_i(k)$, agent $i$ broadcasts the property
$h_i(s_i(k))$ and listens for broadcasts of $h_i(s_i(k))$ from all
other agents that share the property with it; when they are
all received, $h_i(s_i(k))$ is satisfied and then agent $i$ transits
to the next state.

Because of the possible parallel satisfaction of individual
properties, and because the durations of the transitions are
not known, a set of cc-strategies $\{r_i, i \in I\}$ can produce
multiple sequences of properties satisfied by the team. We
use products of languages (Def. 6) to capture all the possible
behaviors of the team.

Definition 8 (global behavior of the team): Given a set
of cc-strategies $\{r_i, i \in I\}$, we denote

$\mathcal{L}_{team}(\{r_i, i \in I\}) := \|_{i \in I} \{w_i\}$ (2)

as the set of all possible sequences of properties satisfied by
the team while the agents follow their individual cc-strategies
$r_i$, where $w_i$ is the word of $\mathcal{T}_i$ generated by $r_i$.

For simplicity of notation, we usually denote $\mathcal{L}_{team}(\{r_i,
i \in I\})$ as $\mathcal{L}_{team}$ when there is no ambiguity.

Definition 9 (satisfying set of cc-strategies): A set of cc-strategies
$\{r_i, i \in I\}$ satisfies a specification given as an LTL
formula $\phi$ if and only if $\mathcal{L}_{team} \neq \emptyset$ and $\mathcal{L}_{team} \subseteq \mathcal{L}(\mathcal{B}_\phi)$.

Remark 2: For a set of cc-strategies, the corresponding
$\mathcal{L}_{team}$ could be an empty set by the definition of product
of languages (since there may not exist a word $w \in \Sigma^\infty$
such that $w\upharpoonright_{\Sigma_i} = w_i$ for all $i \in I$). In practice, this case
corresponds to a deadlock scenario where one (or more)
agent waits indefinitely for others to enter the states at which
a shared property $\sigma$ is true. For example, if one of these
agents is not going to broadcast $\sigma$ but some other agents are
waiting for the broadcasts of $\sigma$, then all those agents will be
stuck in a deadlock state and wait indefinitely. When such a
deadlock scenario occurs, the behaviors of the team do not
satisfy the specification.
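
The team language of Def. 8 and the deadlock case of Remark 2, together with a brute-force check of Prop. 1, as an added Python example (not code from the paper). It is restricted to finite words and uses the distribution of Fig. 3; the function names and sample words are constructed for illustration.

```python
from itertools import permutations

# Distribution of Fig. 3: 'a' is shared, 'b' and 'c' are individual properties.
DIST = {1: {"a", "b"}, 2: {"a", "c"}}


def project(word, alphabet):
    """Projection of Def. 4: erase every symbol outside the given alphabet."""
    return "".join(s for s in word if s in alphabet)


def team_language(local_words, dist):
    """Product of the singleton languages {w_i} (Defs. 6 and 8), finite words only.

    Builds every global word w with project(w, dist[i]) == local_words[i].
    A symbol can be emitted only when it is the next pending symbol of every
    agent that owns it, which is the synchronization required for shared
    properties. An empty result is the deadlock of Remark 2.
    """
    agents = sorted(dist)
    found = set()

    def extend(prefix, pos):
        if all(pos[i] == len(local_words[i]) for i in agents):
            found.add(prefix)
            return
        pending = {local_words[i][pos[i]]
                   for i in agents if pos[i] < len(local_words[i])}
        for sym in sorted(pending):
            owners = [i for i in agents if sym in dist[i]]
            ready = all(pos[i] < len(local_words[i])
                        and local_words[i][pos[i]] == sym for i in owners)
            if owners and ready:
                nxt = dict(pos)
                for i in owners:
                    nxt[i] += 1
                extend(prefix + sym, nxt)

    extend("", {i: 0 for i in agents})
    return found


def trace_class_bruteforce(word, dist):
    """[w] of Def. 5 by exhaustive search. Because the alphabets cover every
    symbol, a trace-equivalent finite word is always a rearrangement of w."""
    target = {i: project(word, alpha) for i, alpha in dist.items()}
    return {"".join(p) for p in set(permutations(word))
            if all(project("".join(p), dist[i]) == target[i] for i in dist)}


def check_prop1(word, dist):
    """Prop. 1 on one finite word: [w] equals the product of its projections."""
    local_words = {i: project(word, alpha) for i, alpha in dist.items()}
    return trace_class_bruteforce(word, dist) == team_language(local_words, dist)


if __name__ == "__main__":
    # b and c are independent, so both orders are possible before the shared a.
    print(sorted(team_language({1: "ba", 2: "ca"}, DIST)))
    print(check_prop1("abcab", DIST))
    # Agent 1 waits for the shared property a that agent 2 never broadcasts.
    print(team_language({1: "ba", 2: "c"}, DIST))
```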

We are now ready to formulate the main problem: 

Problem 1: Given a team of agents represented by $\mathcal{T}_i$, $i \in I$,
a global specification in the form of an LTL formula $\phi$
over $\Sigma$, and a distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$, find a satisfying
set of individual cc-strategies $\{r_i, i \in I\}$.

Our approach to solve Prob. 1 can be divided into two
major parts, as shown in Fig. 2: checking distributability and
ensuring implementability. Specifically, we (i) check whether
the global specification can be distributed among the agents
while accounting for their capabilities to satisfy properties,
and (ii) make sure that the individual cc-strategies are feasible
for the agents. For (i), we make the connection between
distributability of global specifications and closure properties
of temporal logic formulas [16]. Specifically, we check
whether the language satisfying the global specification $\phi$
is trace-closed; if yes, then it is distributable; otherwise, a
solution cannot be found (see Sec. IV-A). Therefore, our
approach is conservative, in the sense that we might not
find a solution even if one exists. For (ii), we construct
an implementable automaton by adapting automata-based
techniques [21], [22] to obtain all the possible sequences
of properties that could be satisfied by the team, while
considering the dynamics and capabilities of the agents
(Sec. IV-B and IV-C). Finally, an arbitrary word from the
intersection of the trace-closed language satisfying $\phi$ and
the language of the implementable automaton is selected to
synthesize the individual cc-strategies for the agents.

Fig. 2. Schematic representation of our approach to Prob. 1.

IV. Synthesis of individual cc-strategies 
A. Checking Distributability 

We begin with the conversion of the global specification $\phi$
over $\Sigma$ to a Büchi automaton $\mathcal{B}_\phi = (Q, Q^{in}, \Sigma, \delta, F)$ (Def. 4),
which accepts exactly the language satisfying $\phi$ (using
LTL2BA [18]). We need to find a local word $w_i$ for each
agent $i$ such that (i) all possible sequences of properties
satisfied by the team while each agent executes its local
word satisfy the global specification (i.e., are included in $\mathcal{L}(\mathcal{B}_\phi)$),
and (ii) each local word $w_i$ can be implemented by the
corresponding agent (which will be detailed in the following
sub-sections).

Given the global specification $\mathcal{L}(\mathcal{B}_\phi)$ and the distribution
$\{\Sigma_i \subseteq \Sigma, i \in I\}$, we make the important observation that a
trace-closed language (Def. 5) is sufficient to find a set of
local words satisfying the first condition. Formally, we have:

Proposition 2: Given a language $L \subseteq \Sigma^\infty$ and a distribution
$\{\Sigma_i \subseteq \Sigma, i \in I\}$, if $L$ is a trace-closed language and
$w \in L$, then $\|_{i \in I} \{w\upharpoonright_{\Sigma_i}\} \subseteq L$.

Proof: Follows from Prop. 1 and the definition of the
trace-closed language. ■

Thus, our approach aims to check whether $\mathcal{L}(\mathcal{B}_\phi)$ is trace-closed.
If the answer is positive, by Prop. 2, an arbitrary
word from $\mathcal{L}(\mathcal{B}_\phi)$ can be used to generate the suitable set of
local words by projecting this word onto $\Sigma_i$. The algorithm
(adapted from [16]) to check if $\mathcal{L}(\mathcal{B}_\phi)$ is trace-closed can be
viewed as a process to construct a Büchi automaton $\mathcal{A}$, such
that each word accepted by $\mathcal{A}$ represents a pair of words
$w$ and $w'$, such that $w \in \mathcal{L}(\mathcal{B}_\phi)$, $w' \notin \mathcal{L}(\mathcal{B}_\phi)$, and $w \sim w'$
(i.e., $w$ is trace-equivalent to $w'$). Thus, if $\mathcal{A}$ has a non-empty
language, $\mathcal{L}(\mathcal{B}_\phi)$ is not trace-closed.

Fig. 3. Büchi automaton $\mathcal{C}$ (3) for the case when $\Sigma = \{a, b, c\}$, $\Sigma_1 =
\{a, b\}$, and $\Sigma_2 = \{a, c\}$. Relation $\mathrm{I}$ is given by $\mathrm{I} = \{(b, c), (c, b)\}$.

To obtain $\mathcal{A}$, we first construct a Büchi automaton, denoted
by $\mathcal{C}$, to capture all pairs of trace-equivalent infinite words
over $\Sigma$. Given the distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$, we define
a relation $\mathrm{I}$ such that $(\sigma, \sigma') \in \mathrm{I}$ if there does not exist $\Sigma_i$,
$i \in I$, such that $\sigma, \sigma' \in \Sigma_i$. Formally, $\mathcal{C}$ is defined as



(3) 



where $\Sigma_C = \mathrm{I} \cup \{(\sigma, \sigma) \mid \sigma \in \Sigma\}$ and $F_C = \{q_{C_0}\}$. The
transition function $\delta_C$ is defined as (a) for all $\sigma \in \Sigma$, there
exists $q_{C_0} = \delta_C(q_{C_0}, (\sigma, \sigma))$, and (b) for all $(\sigma, \sigma') \in \mathrm{I}$, there
exists a state $q_C \neq q_{C_0}$ such that $q_C = \delta_C(q_{C_0}, (\sigma, \sigma'))$ and
$q_{C_0} = \delta_C(q_C, (\sigma', \sigma))$. In other words, to obtain $\mathcal{C}$, we first
generate the initial state and then add a new state and the
corresponding transitions for every member of $\mathrm{I}$. Thus, the
number of states is $|\mathrm{I}| + 1$. A simple example to illustrate
the construction of $\mathcal{C}$ is shown in Fig. 3.

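Next, we construct a Büchi automaton $\mathcal{A}_1$ to accommodate
words from $\mathcal{L}(\mathcal{B}_\phi)$. A word accepted by $\mathcal{A}_1$ is a
sequence $(\sigma_1, \sigma_1')(\sigma_2, \sigma_2') \ldots$. We use $w_{\mathcal{A}_1}|_1$ and $w_{\mathcal{A}_1}|_2$ to
denote the sequences $\sigma_1\sigma_2 \ldots$ and $\sigma_1'\sigma_2' \ldots$, respectively. For
each word $w_{\mathcal{A}_1}$ accepted by $\mathcal{A}_1$, we have $w_{\mathcal{A}_1}|_1 \in \mathcal{L}(\mathcal{B}_\phi)$
and $w_{\mathcal{A}_1}|_2 \in \Sigma^\omega$. Similarly, we construct another Büchi
automaton $\mathcal{A}_2$ to capture words that do not belong to $\mathcal{L}(\mathcal{B}_\phi)$,
i.e., for each word $w_{\mathcal{A}_2} \in \mathcal{L}(\mathcal{A}_2)$, $w_{\mathcal{A}_2}|_1 \in \Sigma^\omega$ and $w_{\mathcal{A}_2}|_2 \notin
\mathcal{L}(\mathcal{B}_\phi)$ always hold.

Finally, we produce the Büchi automaton $\mathcal{A}$ such that
$\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{C}) \cap \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$ by taking the intersections
of the Büchi automata. According to [16], $\mathcal{L}(\mathcal{B}_\phi)$ is trace-closed
if and only if $\mathcal{L}(\mathcal{A}) = \emptyset$. The construction of the
intersection of several Büchi automata is given in [17]. We
summarize this procedure in Alg. 1.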

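Algorithm 1: Check if $\mathcal{L}(\mathcal{B})$ is trace-closed

Input: A Büchi automaton $\mathcal{B} = (Q, Q^{in}, \Sigma, \delta, F)$ (Def. 4)
and a distribution $\{\Sigma_i \subseteq \Sigma, i \in I\}$
Output: Yes or No
1: Construct $\mathcal{C}$ as defined in (3)
2: Construct $\mathcal{A}_1 = (Q, Q^{in}, \Sigma_{\mathcal{A}_1}, \delta_{\mathcal{A}_1}, F)$, where $\Sigma_{\mathcal{A}_1} \subseteq
\Sigma \times \Sigma$ and $\delta_{\mathcal{A}_1} : Q \times \Sigma_{\mathcal{A}_1} \to 2^Q$ is defined as $q' \in
\delta_{\mathcal{A}_1}(q, (\sigma_1, \sigma_2))$ if and only if $q' \in \delta(q, \sigma_1)$
3: Construct $\mathcal{A}_2 = (Q, Q^{in}, \Sigma_{\mathcal{A}_2}, \delta_{\mathcal{A}_2}, F)$, where $\Sigma_{\mathcal{A}_2} \subseteq
\Sigma \times \Sigma$ and $\delta_{\mathcal{A}_2} : Q \times \Sigma_{\mathcal{A}_2} \to 2^Q$ is defined as $q' \in
\delta_{\mathcal{A}_2}(q, (\sigma_1, \sigma_2))$ if and only if $q' \in \delta(q, \sigma_2)$
4: Construct $\mathcal{A}$ such that $\mathcal{L}(\mathcal{A}) = \mathcal{L}(\mathcal{C}) \cap \mathcal{L}(\mathcal{A}_1) \cap \mathcal{L}(\mathcal{A}_2)$
5: if $\mathcal{L}(\mathcal{A}) = \emptyset$ return Yes else return No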
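
Step 1 of Alg. 1 as an added Python example (not code from the paper): it derives the relation I from the distribution, builds the automaton C from rules (a) and (b) above, and runs C on pairs of finite prefixes. The state names and the dictionary layout are constructed for illustration; the distribution is the one of Fig. 3.

```python
# Distribution of Fig. 3.
DIST = {1: {"a", "b"}, 2: {"a", "c"}}


def independence(dist):
    """Relation I: pairs of symbols that no agent alphabet contains together."""
    sigma = set().union(*dist.values())
    return {(s, t) for s in sigma for t in sigma
            if not any(s in alpha and t in alpha for alpha in dist.values())}


def build_C(dist):
    """Automaton C: the initial (and only accepting) state plus one
    intermediate state for every member of I."""
    sigma = set().union(*dist.values())
    q0 = "qC0"
    # Rule (a): reading the same symbol in both words keeps C in q0.
    delta = {(q0, (s, s)): q0 for s in sigma}
    # Rule (b): an independent pair (s, t) must be followed by (t, s).
    for s, t in sorted(independence(dist)):
        mid = f"q_{s}{t}"
        delta[(q0, (s, t))] = mid
        delta[(mid, (t, s))] = q0
    states = {q0} | set(delta.values())
    return {"states": states, "init": q0, "delta": delta, "accepting": {q0}}


def reads_pair(C, w1, w2):
    """Run C on (w1[0], w2[0])(w1[1], w2[1])... for two finite prefixes.
    True if the run exists and ends in the accepting state."""
    if len(w1) != len(w2):
        return False
    q = C["init"]
    for pair in zip(w1, w2):
        q = C["delta"].get((q, pair))
        if q is None:
            return False
    return q in C["accepting"]


def trace_equivalent(w1, w2, dist):
    """Def. 5 on finite words: equal projections onto every agent alphabet."""
    return all([s for s in w1 if s in alpha] == [s for s in w2 if s in alpha]
               for alpha in dist.values())


if __name__ == "__main__":
    C = build_C(DIST)
    print(sorted(independence(DIST)), len(C["states"]))
    # b and c are swapped in the second word; a is shared and stays in place.
    print(reads_pair(C, "abca", "acba"), trace_equivalent("abca", "acba", DIST))
    # a and b both belong to agent 1, so they cannot be swapped.
    print(reads_pair(C, "ab", "ba"), trace_equivalent("ab", "ba", DIST))
```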



B. Implementable Local Specification 

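In the case that $\mathcal{L}(\mathcal{B}_\phi)$ is trace-closed, the global specification
is distributable among the agents. We call $\mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$
the "local" specification for agent $i$ because of the following
proposition.

Proposition 3: If a set of cc-strategies $\{r_i, i \in I\}$ is a
solution to Prob. 1, then the corresponding local words $w_i$
are included in $\mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$ for all $i \in I$.

Proof: If a set of cc-strategies $\{r_i, i \in I\}$ is a
solution to Prob. 1, then we have $\mathcal{L}_{team} \subseteq \mathcal{L}(\mathcal{B}_\phi)$ and
$\mathcal{L}_{team} \neq \emptyset$. We can find a word $w \in \|_{i \in I}\{w_i\} \subseteq
\mathcal{L}(\mathcal{B}_\phi)$, such that $w\upharpoonright_{\Sigma_i} = w_i$ for all $i \in I$. Since $w_i =
w\upharpoonright_{\Sigma_i}$ and $w\upharpoonright_{\Sigma_i} \in \mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$, we have $w_i \in \mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$.

■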

Given the agent model $\mathcal{T}_i$, some of the local words might
not be feasible for the agent. Therefore, we aim to construct
the "implementable local" specification for each agent;
namely, it captures all the words of $\mathcal{L}(\mathcal{B}_\phi)$ that can be
implemented by the agent. To achieve this, we first produce
an automaton that accepts exactly the local specification.

Note that the projection of the language satisfying the
global specification that includes only infinite words on a
local alphabet might contain finite words. For example,
given an infinite word $w = baaa \ldots$, if $a \notin \Sigma_i$, the projection
of this word is $b$. Therefore, the local specification for each
agent might have both finite and infinite words. To address
this, we employ a mixed Büchi automaton introduced in [22].
The mixed Büchi automaton is similar to the standard Büchi
automaton defined in Def. 4, except that it has two different
types of accepting states: finitary and infinitary accepting
states. Formally, we define the mixed Büchi automaton as

$\mathcal{B} := (Q, Q^{in}, \Sigma, \delta, F, F^{fin})$ (4)

where $F$ stands for the set of infinitary accepting states
and $F^{fin}$ represents the set of finitary accepting states.
The mixed Büchi automaton accepts infinite words by using
the set of infinitary accepting states, with the same
acceptance condition as defined in Def. 4. A finite run
$r^{fin} = q(0)q(1) \ldots q(n)$ of $\mathcal{B}$ over a finite word $w^{fin} =
w(0)w(1) \ldots w(n)$ satisfies $q(0) \in Q^{in}$ and $q(i+1) \in
\delta(q(i), w(i))$, for all $0 \le i < n$. $\mathcal{B}$ accepts a finite
word $w^{fin}$ if and only if the finite run $r^{fin}$ over $w^{fin}$
satisfies $q(n) \in F^{fin}$. We call a finitary accepting state
$q \in F^{fin}$ terminal if and only if no transition starts from $q$.
We assume that all the finitary accepting states are terminal in
this paper. An algorithm to obtain a mixed Büchi automaton
$\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$ which accepts $\mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$ is
summarized in Alg. 2.

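Algorithm 2: Construct $\mathcal{B}_i$ where $\mathcal{L}(\mathcal{B}_i) = \mathcal{L}(\mathcal{B})\upharpoonright_{\Sigma_i}$

Input: $\mathcal{B} = (Q, Q^{in}, \Sigma, \delta, F)$ and a subset $\Sigma_i \subseteq \Sigma$
Output: $\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$
1: Construct $\mathcal{B}_i^\epsilon = (Q_i^\epsilon, Q_i^{\epsilon,in}, \Sigma_i^\epsilon, \delta_i^\epsilon, F_i^\epsilon)$, where $Q_i^\epsilon = Q$,
$Q_i^{\epsilon,in} = Q^{in}$, $\Sigma_i^\epsilon = \Sigma_i \cup \{\epsilon\}$, $F_i^\epsilon = F$ and $\delta_i^\epsilon$ is defined
as $q' \in \delta_i^\epsilon(q, \sigma)$ iff $q' \in \delta(q, \sigma)$ and $\sigma \in \Sigma_i$, and $q' \in
\delta_i^\epsilon(q, \epsilon)$ iff $\exists \sigma \in \Sigma \setminus \Sigma_i$ s.t. $q' \in \delta(q, \sigma)$.
2: For all states $q$ of $\mathcal{B}_i^\epsilon$, we take the $\epsilon$-closure [23] of $q$,
denoted as $eclose(q)$.
3: Build $\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$, where $Q_i =
Q_i^\epsilon$, $Q_i^{in} = Q_i^{\epsilon,in}$, $\Sigma_{\mathcal{B}_i} = \Sigma_i$, $\delta_i$ is defined as $q' \in
\delta_i(q, \sigma)$ iff $\exists q'' \in eclose(q)$ s.t. $q' \in \delta_i^\epsilon(q'', \sigma)$, $F_i =
F_i^\epsilon$ and $F_i^{fin} = \emptyset$.
4: Obtain $F_i^{fin}$ by adding a new state $q^{fin}$ to $F_i^{fin}$ for
each $q \in F_i$ where a loop $q \xrightarrow{\epsilon} q_1 \xrightarrow{\epsilon} q_2 \cdots \xrightarrow{\epsilon} q$ in $\mathcal{B}_i^\epsilon$
exists.
5: Add $F_i^{fin}$ to $Q_i$.
6: For each state $q^{fin} \in F_i^{fin}$, we have $q^{fin} \in \delta_i(q', \sigma)$
if and only if the corresponding state $q \in F_i$
satisfies $q \in \delta_i(q', \sigma)$.
7: return $\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$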



Proposition 4: The language of the mixed Büchi automaton
$\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$ constructed in Alg. 2 is
equal to $\mathcal{L}(\mathcal{B}_\phi)\upharpoonright_{\Sigma_i}$.

Proof: By construction, $\mathcal{B}_i^\epsilon$ accepts $\mathcal{L}(\mathcal{B})\upharpoonright_{\Sigma_i}$. To prove
the above proposition, we first prove the following statement:
$\mathcal{B}_i$ obtained by Alg. 2 accepts the same infinite language as
$\mathcal{B}_i^\epsilon$ does. For the infinite language, we only need to consider
$\mathcal{B}_i$ constructed in step 3 of the algorithm since steps 4, 5,
and 6 are only related to the finite language. From now on,
$\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$ refers to $\mathcal{B}_i$ constructed in
step 3.

We define $\hat\delta_i(Q_1, w)$, $Q_1 \subseteq Q_i$, inductively to represent the
set of states that can be reached from $Q_1$ after taking $w =
w(1)w(2) \ldots w(n)$ as inputs. Formally, we define $\hat\delta_i$ for a
Büchi automaton's transition function $\delta_i$ by:

Basis: $\hat\delta_i(Q_1, \epsilon) = Q_1$. That is, without reading any input
symbols, we are only in the states we began in.

Induction: Suppose $w$ is of the form $w = xa$, where $a$ is
the final symbol of $w$ and $x$ is the rest of $w$. Also suppose
that $\hat\delta_i(Q_1, x) = \{q_1, q_2, \ldots, q_k\}$. Let

$\bigcup_{j=1}^{k} \delta_i(q_j, a) = \{r_1, r_2, \ldots, r_m\}$

Then $\hat\delta_i(Q_1, w) = \{r_1, r_2, \ldots, r_m\}$. Less formally, we
compute $\hat\delta_i(Q_1, w)$ by first computing $\hat\delta_i(Q_1, x)$, and then
following any transition from any of these states that is
labeled $a$.

Similarly, for the Büchi automaton with $\epsilon$-transitions,
$\hat\delta_i^\epsilon(Q_2, w)$, $Q_2 \subseteq Q_i^\epsilon$, is defined to represent the set of
states which can be reached from the set of states
$Q_2$ after taking a sequence of transitions given the input
sequence $w$, while accounting for the transitions that can be
made spontaneously (i.e., $\epsilon$-transitions). With slight abuse of
notation, we denote $\delta_i^\epsilon(Q_2, a) = \bigcup_{q \in Q_2} \delta_i^\epsilon(q, a)$. Formally,
we define $\hat\delta_i^\epsilon$ for the transition function $\delta_i^\epsilon$ of a Büchi
automaton with $\epsilon$-transitions as follows:

Basis: $\hat\delta_i^\epsilon(Q_2, \epsilon) = Q_2$.

Induction: Suppose $w$ is of the form $w = xa$. Also
suppose that $\hat\delta_i^\epsilon(Q_2, x) = \{q_1, q_2, \ldots, q_k\}$. Let

$\bigcup_{j=1}^{k} \hat\delta_i^\epsilon(\{q_j\}, a) = \bigcup_{j=1}^{k} \delta_i^\epsilon(eclose(q_j), a) = \{r_1, r_2, \ldots, r_m\}$

Then $\hat\delta_i^\epsilon(Q_2, w) = \{r_1, r_2, \ldots, r_m\}$. Less formally, we
compute $\hat\delta_i^\epsilon(Q_2, w)$ by first computing $\hat\delta_i^\epsilon(Q_2, x)$, then
following any $\epsilon$-transition from any of these states, and finally
following any transition from the reached states that is
labeled $a$.

To prove the statement, what we prove first, by induction
on $|w|$, where $w = w(1)w(2) \ldots w(n) \in \Sigma^*$, is that

$\hat\delta_i(Q_i^{in}, w) = \hat\delta_i^\epsilon(Q_i^{\epsilon,in}, w).$ (5)

Basis: Let $|w| = 0$; that is, $w = \epsilon$. By the basis definitions
of $\hat\delta_i$ and $\hat\delta_i^\epsilon$, $\hat\delta_i(Q_i^{in}, w) = Q_i^{in}$ and $\hat\delta_i^\epsilon(Q_i^{\epsilon,in}, w) = Q_i^{\epsilon,in}$.
Since $Q_i^{in} = Q_i^{\epsilon,in} = Q^{in}$, (5) holds.

Induction: Let $w$ be of length $n + 1$, and assume (5)
for length $n$. Break $w$ as $w = xa$. Let the set of states
in $Q_1$ be $\{q_1, q_2, \ldots, q_k\}$ and the set of states in $Q_2$ be
$\{q_1^\epsilon, q_2^\epsilon, \ldots, q_k^\epsilon\}$, and $q_j = q_j^\epsilon$, $1 \le j \le k$.

By the construction of $\mathcal{B}_i$, we have $q \in \delta_i(\{q_j\}, a)$
if and only if $q \in \delta_i^\epsilon(eclose(q_j), a)$. By definition, since
$\hat\delta_i^\epsilon(\{q_j^\epsilon\}, a) = \delta_i^\epsilon(eclose(q_j^\epsilon), a)$ and $q_j^\epsilon = q_j$, we have
$\bigcup_{j=1}^{k} \delta_i(\{q_j\}, a) = \bigcup_{j=1}^{k} \hat\delta_i^\epsilon(\{q_j^\epsilon\}, a)$. Therefore, we have
$\hat\delta_i(Q_i^{in}, w) = \hat\delta_i^\epsilon(Q_i^{\epsilon,in}, w)$.

We observe that $\mathcal{B}_i$ constructed in step 3 and $\mathcal{B}_i^\epsilon$
accept an infinite word if and only if this word visits the
accepting states $F_i$ and $F_i^\epsilon$ infinitely many times. Since $F_i =
F_i^\epsilon$ and $\hat\delta_i(Q_i^{in}, w) = \hat\delta_i^\epsilon(Q_i^{\epsilon,in}, w)$, we have a proof that the
two Büchi automata accept the same infinite language.

Next, we consider the finite language. From now on,
$\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$ refers to $\mathcal{B}_i$ returned by the
algorithm. Note that a finite word is accepted by $\mathcal{B}_i^\epsilon$ if and
only if its corresponding run ends at one of the accepting
states $q^\epsilon \in F_i^\epsilon$, such that there exists a loop starting from
and ending at it, with only $\epsilon$-transitions. By the construction
of $\mathcal{B}_i$, for the state $q^\epsilon$, there exist two corresponding states:
$q \in F_i$ and $q^{fin} \in F_i^{fin}$. Note that a run over a word can
reach $q^{fin}$ if and only if it can reach $q$. Because of (5), the
run of a finite word on $\mathcal{B}_i$ can reach $q \in F_i$ and
$q^{fin} \in F_i^{fin}$ if and only if its corresponding run on $\mathcal{B}_i^\epsilon$ can
reach $q^\epsilon \in F_i^\epsilon$, which implies that this finite word is accepted
by both Büchi automata. Hence, we have a proof that the
two Büchi automata accept the same finite language. Since
$\mathcal{B}_i^\epsilon$ and $\mathcal{B}_i$ have the same language, the proof is complete.

■
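
Alg. 2 carried out on a small automaton, as an added Python example (not code from the paper). The input automaton, which accepts the single infinite word a b a a a ..., and all function and key names are constructed for illustration; the local alphabet contains only b, so the local specification is the finite word b.

```python
EPS = None  # label used for spontaneous (epsilon) transitions


def eclose(delta_eps, q):
    """Epsilon-closure of q: q plus every state reachable by epsilon moves."""
    seen, stack = {q}, [q]
    while stack:
        for nxt in delta_eps.get((stack.pop(), EPS), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def project_automaton(states, init, delta, accepting, local):
    """Steps 1-6 of Alg. 2 for B = (states, init, Sigma, delta, accepting)."""
    # Step 1: symbols outside the local alphabet become epsilon moves.
    delta_eps = {}
    for (q, sym), targets in delta.items():
        label = sym if sym in local else EPS
        delta_eps.setdefault((q, label), set()).update(targets)
    # Steps 2-3: follow the epsilon-closure of q, then read one local symbol.
    delta_i = {}
    for q in states:
        for q2 in eclose(delta_eps, q):
            for sym in local:
                if (q2, sym) in delta_eps:
                    delta_i.setdefault((q, sym), set()).update(delta_eps[(q2, sym)])
    # Step 4: an accepting state on an epsilon-only loop gets a finitary copy.
    fin_copy = {
        q: (q, "fin")
        for q in accepting
        if any(q in eclose(delta_eps, q1) for q1 in delta_eps.get((q, EPS), ()))
    }
    # Steps 5-6: the copy is entered exactly where the original state is
    # entered, and it has no outgoing transitions (it is terminal).
    for targets in delta_i.values():
        targets |= {fin_copy[q] for q in targets if q in fin_copy}
    return {
        "states": set(states) | set(fin_copy.values()),
        "init": set(init),
        "delta": delta_i,
        "accepting": set(accepting),
        "finitary": set(fin_copy.values()),
    }


def accepts_finite(Bi, word):
    """Finite-word acceptance of the mixed automaton: a run ends in F^fin."""
    current = set(Bi["init"])
    for sym in word:
        current = set().union(*(Bi["delta"].get((q, sym), set()) for q in current))
    return bool(current & Bi["finitary"])


# Constructed input: q0 -a-> q1 -b-> q2 -a-> q2 with q2 accepting.
B_STATES = {"q0", "q1", "q2"}
B_INIT = {"q0"}
B_DELTA = {("q0", "a"): {"q1"}, ("q1", "b"): {"q2"}, ("q2", "a"): {"q2"}}
B_ACCEPTING = {"q2"}
LOCAL = {"b"}  # the agent cannot satisfy a

if __name__ == "__main__":
    Bi = project_automaton(B_STATES, B_INIT, B_DELTA, B_ACCEPTING, LOCAL)
    print(Bi["delta"], Bi["finitary"])
    print(accepts_finite(Bi, "b"), accepts_finite(Bi, "bb"))
```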

Inspired by LTL model checking [21], we define a
product automaton to obtain the implementable local specification.
First, we extend the transition system $\mathcal{T}_i$ with a
dummy state labelled as Start that has a transition to the
initial state $s_{0_i}$. The addition of this dummy state is necessary
in the case that the initial state already partially satisfies the
local specification. Let $\hat{\mathcal{T}}_i$ be the extended finite transition
system, then

$\hat{\mathcal{T}}_i = (\hat{S}_i, \hat{s}_{0_i}, \hat{\to}_i, \hat\Sigma, \hat{h}_i)$ (6)

where $\hat{S}_i = S_i \cup \{\mathrm{Start}\}$, $\hat{s}_{0_i} = \mathrm{Start}$, $\hat{\to}_i = \to_i \cup \to_s$,
where $\to_s$ is defined as $\mathrm{Start} \to_s s_{0_i}$, $\hat\Sigma = \Sigma$ and $\hat{h}_i$ is the
same output map as $h_i$ but extended by mapping the Start
state to a dummy observation. Note that $\mathcal{T}_i$ and $\hat{\mathcal{T}}_i$ generate
the same language.

Now, consider the transition system $\hat{\mathcal{T}}_i$ that describes
the dynamics of agent $i$ and $\mathcal{B}_i$ that represents the local
specification for agent $i$. The following product automaton
captures all the words in $\mathcal{L}(\mathcal{B}_i)$ that can be generated by
agent $i$.

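Definition 10: The product automaton $\mathcal{E}_i = \hat{\mathcal{T}}_i \otimes \mathcal{B}_i$
between a TS $\hat{\mathcal{T}}_i = (\hat{S}_i, \hat{s}_{0_i}, \hat{\to}_i, \hat\Sigma, \hat{h}_i)$ and a mixed Büchi
automaton $\mathcal{B}_i = (Q_i, Q_i^{in}, \Sigma_{\mathcal{B}_i}, \delta_i, F_i, F_i^{fin})$ is a mixed
Büchi automaton $\mathcal{E}_i = (Q_{\mathcal{E}_i}, Q_{\mathcal{E}_i}^{in}, \Sigma_{\mathcal{E}_i}, \delta_{\mathcal{E}_i}, F_{\mathcal{E}_i}, F_{\mathcal{E}_i}^{fin})$,
consisting of

• a set of states $Q_{\mathcal{E}_i} = \hat{S}_i \times Q_i$;

• a set of initial states $Q_{\mathcal{E}_i}^{in} = \{\hat{s}_{0_i}\} \times Q_i^{in}$;

• a set of inputs $\Sigma_{\mathcal{E}_i} = \Sigma_{\mathcal{B}_i}$;

• a transition function $\delta_{\mathcal{E}_i}$ defined as $(s', q') \in
\delta_{\mathcal{E}_i}((s, q), \hat{h}_i(s'))$ iff $s \,\hat{\to}_i\, s'$ and $q' \in \delta_i(q, \hat{h}_i(s'))$;

• a set of infinitary accepting states $F_{\mathcal{E}_i} = \hat{S}_i \times F_i$;

• a set of finitary accepting states $F_{\mathcal{E}_i}^{fin} = \hat{S}_i \times F_i^{fin}$.

Informally, the Büchi automaton $\mathcal{B}_i$ restricts the behavior
of the transition system $\hat{\mathcal{T}}_i$ by permitting only certain
acceptable transitions. Note that we modify the traditional
definition of product automata [19] to accommodate the
finitary accepting states. An example showing how to construct
the product automaton given a transition system and a
mixed Büchi automaton is illustrated in Fig. 4. The following
proposition shows that $\mathcal{L}(\mathcal{E}_i)$ is exactly the implementable
local specification for agent $i$.

Proposition 5: Given any accepted word $w$ of $\mathcal{B}_i$, there
exists at least one trajectory of $\mathcal{T}_i$ generating $w$ if and only if
$w \in \mathcal{L}(\mathcal{E}_i)$.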

Proof: "$\Leftarrow$": Given an infinite word $w \in \mathcal{L}(E_i)$, there
exists an infinite run $r_{E_i} = (Start, q_i(1))(s_i(1), q_i(2)) \ldots$
of $E_i$ which generates w, where $s_i(1) = s_{0_i}$. We define
the projection of $r_{E_i}$ onto $\mathcal{T}_i$ as $\pi_i(r_{E_i}) = s_i(1) s_i(2) \ldots$.
By the definition of the product automaton, $\pi_i(r_{E_i})$ is an
infinite trajectory of $\mathcal{T}_i$ generating w, which is a word of $B_i$.

Given a finite word $w^{fin} \in \mathcal{L}(E_i)$ with length
k, there exists a finite run in the form of
$r_{E_i} = (Start, q_i(1))(s_i(1), q_i(2)) \ldots (s_i(k), q_i(k+1))$ of $E_i$ which
generates w. The projection of $r_{E_i}$ on $\mathcal{T}_i$ can be written
as $s_i(1) s_i(2) \ldots s_i(n)$. By the definition of the product
automaton, $s_i(1) s_i(2) \ldots s_i(n)$ is a finite trajectory of $\mathcal{T}_i$
generating the finite word $w^{fin}$, which means there exists
a trajectory of $\mathcal{T}_i$ generating $w^{fin} \in \mathcal{L}(B_i)$.

"$\Rightarrow$": Given an infinite word $w = w(1) w(2) \ldots$ accepted
by $B_i$ and a trajectory $r_{\mathcal{T}_i} = s_i(1) s_i(2) \ldots$ of $\mathcal{T}_i$ satisfying
w, then we have $s_i(j) \to_i s_i(j+1)$ and $w(j) = h_i(s_i(j))$
for all $j \geq 1$. Given w, we can find an accepted run
of $B_i$, denoted by $q_i(1) q_i(2) \ldots$, which generates w.
According to (6) and Def. 10, there must exist a run
$r_{E_i} = (Start, q_i(1))(s_i(1), q_i(2)) \ldots$, which is accepted by $E_i$ and
generates word w. Hence we have $w \in \mathcal{L}(E_i)$.

Similarly, given a finite word $w^{fin} \in \mathcal{L}(B_i)$ with length k
and a trajectory $r_{\mathcal{T}_i} = s_i(1) s_i(2) \ldots s_i(k)$ of $\mathcal{T}_i$ generating
$w^{fin}$, then we have $s_i(j) \to_i s_i(j+1)$ and $w(j) = h_i(s_i(j))$
for all $1 \leq j \leq k$. Given $w^{fin}$, we can find an accepted run
of $B_i$, denoted by $q_i(1) q_i(2) \ldots q_i(k+1)$, which generates
w. According to (6) and Def. 10, there must exist a run
$r_{E_i} = (Start, q_i(1))(s_i(1), q_i(2)) \ldots (s_i(k), q_i(k+1))$, which
is accepted by $E_i$ and generates word $w^{fin}$. Hence we have
$w^{fin} \in \mathcal{L}(E_i)$. ■
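The construction of Def. 10 and the claim of Prop. 5 for finite words, as an added Python example (not the authors' code). The dictionary layout, the sample road network and the sample automaton are constructed for illustration, only the reachable part of the product is built, and a finite run is assumed to be accepted when it ends in a finitary accepting state.

```python
START = "Start"  # dummy state added to the transition system before the product

def product_automaton(ts, ba):
    """Reachable part of E_i = (T_i extended with Start) x B_i, following Def. 10."""
    trans = {s: set(nxt) for s, nxt in ts["trans"].items()}
    trans[START] = {ts["s0"]}                  # Start -> s0 is the only new edge
    init = {(START, q) for q in ba["init"]}
    delta, seen, todo = {}, set(init), list(init)
    while todo:
        s, q = state = todo.pop()
        for s2 in trans.get(s, ()):
            sym = ts["h"][s2]                  # input read = observation of the target state
            for q2 in ba["delta"].get((q, sym), ()):
                delta.setdefault((state, sym), set()).add((s2, q2))
                if (s2, q2) not in seen:
                    seen.add((s2, q2))
                    todo.append((s2, q2))
    return {"init": init, "delta": delta,
            "F": {x for x in seen if x[1] in ba["F"]},
            "Ffin": {x for x in seen if x[1] in ba["Ffin"]}}

def accepts_finite(E, word):
    """Assumed finitary acceptance: some run over `word` ends in Ffin."""
    cur = set(E["init"])
    for sym in word:
        cur = {t for x in cur for t in E["delta"].get((x, sym), ())}
    return bool(cur & E["Ffin"])

# Constructed sample: two road cells and a parking lot where request "L" occurs;
# "w" is the dummy observation of cells without a request.
TS = {"s0": "r1", "h": {"r1": "w", "r2": "w", "p": "L"},
      "trans": {"r1": {"r2"}, "r2": {"r1", "p"}, "p": {"r2"}}}
# Constructed mixed Büchi automaton: skip "w" until "L" is serviced once, then stop.
BA = {"init": {"q0"}, "F": set(), "Ffin": {"q1"},
      "delta": {("q0", "w"): {"q0"}, ("q0", "L"): {"q1"}}}

E = product_automaton(TS, BA)
E_at_lot = product_automaton({**TS, "s0": "p"}, BA)  # robot starts inside the lot

if __name__ == "__main__":
    print(accepts_finite(E, ["w", "w", "L"]))   # word of B_i that T_i can generate
    print(accepts_finite(E, ["L"]))             # word of B_i that T_i cannot generate
    print(accepts_finite(E_at_lot, ["L"]))      # initial state already services L
```

The last case only works because of the Start state: the product reads the observation of the state being entered, so without the dummy state the observation of the initial state would never be matched against the automaton.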

C. Implementable Global Behaviors 

To solve Prob. 1, we need to select a word w satisfying
the (trace-closed) global specification and also guarantee that
Wi = w is executable for all the agents $i \in I$. Such a
word can be obtained from the intersection of the global
specification and the implementable global behaviors of the
team, which can be modeled by the synchronous product of
the implementable local Büchi automata $E_i$.

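Definition 11 ([22]): The synchronous product of n
mixed Büchi automata $E_i = (Q_{E_i}, Q_{E_i}^{in}, \Sigma_{E_i}, \delta_{E_i}, F_{E_i})$,
denoted by $\|_{i=1}^{n} E_i$, is an automaton
$\mathcal{P} = (Q_{\mathcal{P}}, Q_{\mathcal{P}}^{in}, \Sigma_{\mathcal{P}}, \delta_{\mathcal{P}})$,
consisting of

• a set of states $Q_{\mathcal{P}} = Q_{E_1} \times \cdots \times Q_{E_n}$;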

• a set of initial states = x . . . x ; 

• a set of inputs $\Sigma_{\mathcal{P}} = \bigcup_{i=1}^{n} \Sigma_i$;

• a transition function $\delta_{\mathcal{P}} : Q_{\mathcal{P}} \times \Sigma_{\mathcal{P}} \to 2^{Q_{\mathcal{P}}}$
defined as $q' \in \delta_{\mathcal{P}}(q, \sigma)$ such that if $i \in I_\sigma$,
$q'[i] \in \delta_i(q[i], \sigma)$, otherwise $q[i] = q'[i]$, where
$I_\sigma = \{i \in \{1, \ldots, n\} \mid \sigma \in \Sigma_i\}$ and $q[i]$ denotes
the ith component of q.

The synchronous product composes n components, each
of which represents the implementable local specification $E_i$
for agent i. The synchronous product captures the synchronization
among the agents as well as their parallel executions.
Informally, a word w is accepted by $\mathcal{P}$ if and only if for each
$i \in I$, w is accepted by the corresponding component $E_i$.
A method to find an accepted word of $\mathcal{P}$ is given in [22].
The next proposition shows that $\mathcal{L}(\mathcal{P})$ captures all possible
global words that can be implemented by the team.

Proposition 6 ([22]): The language of $\mathcal{P}$, where
$\mathcal{P} = \|_{i \in I} E_i$, is equal to the product of the languages
of $E_i$ (i.e., $\|_{i \in I} \mathcal{L}(E_i)$).
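The transition rule of Def. 11 and the statement of Prop. 6 for finite words, as an added Python example (not the authors' code). The two components, their state names and the dictionary layout are constructed for illustration; a finite word is assumed to be accepted when every component ends in a finitary accepting state, and a local word is taken to be the global word with the symbols outside the agent's alphabet dropped.

```python
from itertools import product

def project(word, sigma):
    """Local word: keep only the symbols that belong to the agent's alphabet."""
    return [a for a in word if a in sigma]

def sync_step(comps, q, sym):
    """Def. 11: components owning sym move on it, all others keep their state."""
    owners = {i for i, c in enumerate(comps) if sym in c["sigma"]}
    if not owners:
        return set()                       # sym is in no local alphabet
    moves = [c["delta"].get((q[i], sym), set()) if i in owners else {q[i]}
             for i, c in enumerate(comps)]
    return set(product(*moves))            # empty if any owner is not ready for sym

def accepts(comps, word):
    """Assumed finite acceptance: every component ends in a finitary accepting state."""
    cur = set(product(*(c["init"] for c in comps)))
    for sym in word:
        cur = {t for q in cur for t in sync_step(comps, q, sym)}
    return any(all(q[i] in c["Ffin"] for i, c in enumerate(comps)) for q in cur)

# Constructed components: H1 is shared, L1 belongs to agent 1, L3 to agent 2.
E1 = {"sigma": {"H1", "L1"}, "init": {"a0"}, "Ffin": {"a2"},
      "delta": {("a0", "H1"): {"a1"}, ("a1", "L1"): {"a2"}}}
E2 = {"sigma": {"H1", "L3"}, "init": {"b0"}, "Ffin": {"b2"},
      "delta": {("b0", "H1"): {"b1"}, ("b1", "L3"): {"b2"}}}
TEAM = [E1, E2]

def locally_accepted(word):
    """Each projection is accepted by its own component (a one-component product)."""
    return all(accepts([c], project(word, c["sigma"])) for c in TEAM)

if __name__ == "__main__":
    for w in (["H1", "L1", "L3"], ["H1", "L3", "L1"],
              ["L1", "H1", "L3"], ["H1", "L1"]):
        print(w, accepts(TEAM, w), locally_accepted(w))
```

The two orderings of L1 and L3 are both accepted because the symbols have different owners, while H1 needs both components to be ready at the same time.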

Finally, we can produce the solution to Prob. 1 by selecting
an arbitrary word w from $\mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi)$, obtaining the local
word Wi = w and generating the corresponding cc-strategy
rf for each agent. To find $w \in \mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi)$, we
can construct an automaton to accept $\mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi)$ because
of the following proposition:

Proposition 7 ([22]): Let and be two synchronous
products of mixed Büchi automata. Then a synchronous
product can be effectively constructed such that C(V^) = 

£(pi)n£(p2). 

Specifically, we treat $B_\phi$ as a synchronous product with
one component that includes only infinitary accepting states.
The overall approach is summarized in Alg. 3. The following
theorem shows that the output of Alg. 3 is indeed the solution
to Prob. 1.

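Theorem 1: If $\mathcal{L}(B_\phi)$ is trace-closed, the set of
cc-strategies {rf, $i \in I$} obtained by Alg. 3 satisfies
$\|_{i \in I} \{w_i\} \neq \emptyset$ and $\|_{i \in I} \{w_i\} \subseteq \mathcal{L}(B_\phi)$,
where $w_i$ is the corresponding word of $\mathcal{T}_i$ generated by rf.

Proof: Since $w \in \mathcal{L}(B_\phi)$ and $\mathcal{L}(B_\phi)$ is trace-closed,
according to Prop. 2 we have $\|_{i \in I} \{w_i\} \subseteq \mathcal{L}(B_\phi)$. Since
$w \in \|_{i \in I} \{w_i\}$, we have $\|_{i \in I} \{w_i\} \neq \emptyset$. Since
$w \in \mathcal{L}(\mathcal{P})$ and $\mathcal{L}(\mathcal{P}) = \|_{i \in I} \mathcal{L}(E_i)$, we have
$w \in \|_{i \in I} \mathcal{L}(E_i)$. According to Def. 6, $w_i \in \mathcal{L}(E_i)$.
According to Prop. 5, there exists a trajectory of T rf generating
$w_i$, for all $i \in I$. ■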



Algorithm 3: Synthesis of a set of cc-strategies for a team
of agents from a global specification

Input: An LTL formula $\phi$ over $\Sigma$, a distribution
    $\{\Sigma_i \subseteq \Sigma, i \in I\}$, and a set of transition systems $\{\mathcal{T}_i, i \in I\}$
Output: A set of cc-strategies {rf, $i \in I$}

Convert $\phi$ to a Büchi automaton $B_\phi$ using LTL2BA [18]
Run Alg. 1
if $\mathcal{L}(B_\phi)$ is not trace-closed then
    return solution not found
else
    Construct $B_i$ using Alg. 2 for each $i \in I$
    Construct $E_i = \mathcal{T}_i \otimes B_i$ (Def. 10) for each $i \in I$
    Construct $\mathcal{P}$ (Def. 11) and then construct a synchronous
        product accepting $\mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi)$
    if $\mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi) = \emptyset$ then
        return solution not found
    else
        Obtain $w \in \mathcal{L}(\mathcal{P}) \cap \mathcal{L}(B_\phi)$
        Obtain a set of local words {wi = w, $i \in I$}
        Construct a set of automata { , $i \in I$}, each of
            which accepts only the word $w_i$
        Construct = Bf Ti (Def. 10) for all $i \in I$
        Find an accepted run of Ef and project rt on Ti
            to obtain for all $i \in I$
        return {rf, $i \in I$}
    end if
end if



Remark 3 (Completeness): In the case that $\mathcal{L}(B_\phi)$ is
trace-closed, our approach is complete in the sense that we
find a solution to Prob. 1 if one exists. This follows directly
from Prop. 5 and the fact that $\mathcal{L}(\mathcal{P}) = \|_{i \in I} \mathcal{L}(E_i)$. If $\mathcal{L}(B_\phi)$
is not trace-closed, a complete solution to Prob. 1 requires
one to find a non-empty trace-closed subset of $\mathcal{L}(B_\phi)$ if
one exists. This problem is not considered in this paper.
Therefore, our overall approach to Prob. 1 is not complete.

Remark 4 (Complexity): From a computational complexity
point of view, the bottlenecks of the presented approach
are the computations relating to $\mathcal{P}$, because $|Q_{\mathcal{P}}|$ is bounded
above by $\prod_{i \in I} |Q_{E_i}|$ and the upper bound of $|Q_{E_i}|$ is
$O(|Q| \cdot |S_i|)$. For most robotic applications, the size of the task
specification (i.e., $|Q|$) is usually much smaller compared to
the size of the agent model (i.e., $|S_i|$). Therefore, if we can
shrink the size of $Q_{E_i}$ by removing the information about
the agent model from $E_i$, we can reduce the complexity
significantly. Such reduction can be achieved by using LTL
without the next operator and taking a stutter closure of $E_i$.
This will be addressed in our future work.

V. Automatic Deployment in RULE 

In this section, we show how our method can be used to
deploy a team of Khepera III car-like robots in our Robotic
Urban-Like Environment (Fig. 1). The platform consists of
a collection of roads, intersections, and parking lots. Each
intersection has traffic lights. The city is easily reconfigurable
by re-taping the platform. All the cars can communicate
through Wi-Fi with a desktop computer, which is used as an
interface to the user (i.e., to enter the global specification)
and to perform all the computation necessary to generate the
individual cc-strategies. Once computed, these are sent to
the cars, which execute the task autonomously by interacting
with the environment and by communicating with each other,
if necessary. We assume that inter-robot communication is
always possible.

Fig. 5. Transition system $\mathcal{T}_1$ for robot 1. The states represent the vertices
in the environmental graph (Fig. ); $s_{0_1}$ shows that robot 1 starts at $R_{1r}$;
$\to_1$ captures the connectivity between the vertices; $h_1$ captures the locations
of the unsafe regions and the requests. The dummy request $\varpi_1$ is assigned
to all the vertices that have no property and is omitted in this figure.

We model the motion of each robot in the platform using
a transition system, as shown in Fig. 5. The set of states
$S_i$ is the set of labels assigned to roads, intersections and
parking lots (see Fig. 1) and the relation $\to_i$ shows how
these are connected. We distinguish one bound of a road
from the other since the parking lots can only be located
on one side of each road. For example, we use $R_{1r}$ and
$R_{1l}$ to denote the two bounds of road $R_1$. Each state of $\mathcal{T}_i$
is associated with a set of motion primitives. For example,
at region $R_{1r}$, which corresponds to the access point for
parking lot $P_1$ (see Fig. 5), the robot can choose between two
motion primitives: follow_road and park, which allow
the robot to stay on the road or turn right into $P_1$. If the robot
follows the road, it reaches the vertex $I_2$, where three motion
primitives are available: U_turn, turn_right_int, and
go_straight_int, which allow the robot to make a U-turn,
turn right or go straight through the intersection. It
can be seen that, by selecting a motion primitive available
at a region, the robot can correctly execute a trajectory of
$\mathcal{T}_i$, given that it is initialized at a vertex of $\mathcal{T}_i$. The choice
of a motion primitive uniquely determines the next vertex.
In other words, a set of cc-strategies defined in Sec. III
and obtained as described in Sec. IV can be immediately
implemented by the team.

Assume that service requests, denoted by $H_1$, $H_2$, $L_1$, $L_2$
and $L_3$, occur at parking lots $P_1$, $P_2$, $P_4$, $P_5$ and $P_3$,
respectively. "H" stands for "heavy" requests requiring the efforts
of multiple cars while "L" represents "light" requests that
only need one car to service. Specifically, $H_1$ is shared by
all three cars and $H_2$ is shared between car 1 and 2. As we
can see in Fig. 1, the number of parking spaces of a parking
lot equals the number of cars needed to service the request
that occurs at this parking lot. For example, $P_1$ where $H_1$
occurs has three parking spaces. Besides the set of requests,
we also consider some regions to be unsafe. In this example,
we assume that intersection $I_3$ is unsafe for all robots before
request $H_1$ is serviced. We use the output map $h_i$ of $\mathcal{T}_i$
(see Fig. 5) to capture the locations of requests and unsafe
regions. A "dummy request" $\varpi_i$ is assigned to all the other
regions. We use a special semantics for $\varpi_i$: a robot does not
service any request when visiting a region where $\varpi_i$ occurs.

We model the capabilities of the cars to service requests
while considering unsafe regions as a distribution:
$\Sigma_1 = \{H_1, H_2, L_1, I_3^1, \varpi_1\}$, $\Sigma_2 = \{H_1, H_2, L_2, I_3^2, \varpi_2\}$ and
$\Sigma_3 = \{H_1, L_3, I_3^3, \varpi_3\}$. Note that we treat the unsafe region as
an independent property assigned to each car since it does
not require the cooperation of the cars. We aim to find a
satisfying set of individual cc-strategies for each robot to
satisfy the global specification $\phi$, which is the conjunction
of the following LTL formulas over the set of properties
$\Sigma = \{H_1, H_2, L_1, L_2, L_3, I_3^1, I_3^2, I_3^3, \varpi_1, \varpi_2, \varpi_3\}$:

1) Request H2 is serviced infinitely often. 

2) First service request $H_1$, then service request $L_1$ and
$L_2$ regardless of the order or request $L_3$.

0(i?i A A L2) V 0^3)) 

3) Do not visit intersection $I_3$ until $H_1$ is serviced.

$\neg(I_3^1 \vee I_3^2 \vee I_3^3) \ \mathcal{U} \ H_1$

By applying Alg. 3, we first learn that the language satisfying
$\phi$ is trace-closed. Then, we obtain the implementable
automaton $E_i$ as described in Sec. IV-B and IV-C.

Finally, we choose a word $w \in \mathcal{L}(B_\phi) \cap \mathcal{L}(\|_{i \in I} E_i)$ and
project w on the local alphabets $\Sigma_i$, $i \in \{1, 2, 3\}$ to obtain
the local words, which lead to the following cc-strategies:



r1 = RlrhR2rhRlrPlRlrhRsrhRirhRirP2P2 
rl = RirhRlrPlRlrhR2rhR5lhRzrP2P2 
rl = R2rhRlrPlRlrl2RllPi. 

The language satisfying the global specification $\phi$ includes
only infinite words. Hence, both cars 1 and 2 have infinite
cc-strategies, since $H_2$ needs to be serviced infinitely many
times. Note that car 3 has a finite cc-strategy. The synchronization
is only triggered when the cars are about to service
shared requests, i.e., when at $P_1$ and $P_2$. Besides these
synchronization moments, the cars follow their cc-strategies
and execute their individual tasks in parallel, which speeds
up the process of accomplishing the global task. Snapshots
from a movie of the actual deployment are shown in Fig. 6.
The movie of the deployment in the RULE platform is
available at http://hyness.bu.edu/CDC2011.




Fig. 6. Six snapshots from the deployment corresponding to the given
cc-strategies. The labels for the roads, intersections, and parking spaces are
given in Fig. 1: (1) the position of the cars immediately after the initial time,
when robots 1, 2 and 3 are on roads $R_{1r}$, Rbr and $R_{2r}$, respectively; (2)
robot 2 is waiting for the other two robots to enter parking lot $P_1$ at which
the heavy request $H_1$ occurs; (3) both robots 2 and 3 are at $P_1$ waiting for
robot 1; (4) all three robots are at $P_1$ simultaneously, and therefore request
$H_1$ is serviced; (5) robot 3 services the light request $L_3$ at $P_3$ and finishes
its task; (6) eventually robots 1 and 2 stop at $P_2$ and service $H_2$ together
infinitely many times.



VI. Conclusions and Future Works 

We present an algorithmic framework to deploy a team 
of agents from a task specification given as an LTL formula 
over a set of properties. Given the agent capabilities to satisfy 
the properties, and the possible cooperation requirements 
for the shared properties, we find individual control and 
communication strategies such that the global behavior of 
the system satisfies the given specification. We illustrate the 
proposed method with experimental results in our Robotic 
Urban-Like Environment (RULE). 

As future work, we will consider reducing the computational
complexity and applying this approach to a team
of agents with continuous dynamics. Also, we plan to
accommodate more realistic models of agents that can capture
uncertainty and noise in the system, such as Markov
Decision Processes (MDP) and Partially Observed Markov
Decision Processes (POMDP), and probabilistic specification
languages such as PLTL.